Admission requirements
Admission only after intake, see our website.
Description
Cyber security issues are conceptualised as risk management problems, both in academia and in the public and private sector. By identifying which risks play a role in making cyberspace insecure, and assessing the likelihood and impact of these risks, we can gain a better understanding of the cybersecurity challenges we face, and we can improve our detection, prevention and mitigation techniques, or so the common reasoning goes. The risk management paradigm was first developed in the middle of the twentieth century in a field that has collectively come to be known as ‘Safety Science’. This engineering-driven field has contributed greatly to increasing the safety of, for example, industrial plants, airplanes, cars, hospitals and workplaces. Risk management is the main approach to risk that was developed to bring this about.
Due to its success in making the world a safer place, risk management has gradually come to be a dominant lens in all areas of life where risks play a role. Its core tenets, identifying and assessing risks using models and calculations of the likelihood and impact of those risks, have in fact become the dominant way of thinking about risks in our modern world. As the collective perception suggests that we are currently living in a ‘risk society’, in which risks have become ubiquitous, this gives risk management a truly vast reach. Researchers far beyond the realm of Safety Science now use risk management to study risks. Governments have embraced risk management as a key asset to prioritise decision-making on public policy issues. And businesses use risk management as a core business strategy. However, in recent years some scientists have started questioning whether risk management is in fact a suitable tool for any and all risks.
This course takes on the wider view and covers both the traditional risk management paradigm as well as alternative approaches to cyber risks by looking at risk through the lens of social sciences. This means that in a first step cyber risk (management) concepts and definitions are studied together with the more traditional risk management approaches inspired by the world of engineering. Models and metrics for cyber risk assessment are covered with due attention to their limitations. Students will critically reflect on the effectiveness of risk management models and risk mitigation strategies.
In a second stage, students will reflect on particular forms of risk, especially those that are generated intentionally by human beings (as is the case, e.g., in terrorism or criminal activities) and that cannot be ‘modelled’ adequately. For these types of risk, risk management may be a less suitable approach.
In the field of cybersecurity, risk management still has an unchallenged status. However, in light of the fact that cybersecurity incidents are often instigated wilfully by human beings (hackers, cybercriminals, state actors), it seems wise to question this unchallenged status. Are cybersecurity risks similar to terrorist threats? And if so, should we not study them using other risk approaches rather than risk management, or better yet, should we not complement our risk management approach in cybersecurity with the risk approaches commonly used in other scientific fields, most notably the social sciences?
By joining both the traditional risk management approaches to cybersecurity with an exercise in breaking open established paradigms and bringing in a view from the social sciences, this course aims to
help students understand what the strengths and limitations of the risk management paradigm are, and when it is and is not a suitable approach for cybersecurity challenges;
provide students with a broader understanding of ‘risk’, as conceived in the social sciences.
In order to help students find their footing with respect to a ‘social science approach to cybersecurity’ the course will offer a broad introduction into the social sciences, explaining the underlying worldviews and the topics these sciences focus on. Next, students will be guided through a critical appraisal of risk management as the dominant approach to risk in our modern times. A selection of guest lecturers will showcase their attitude to risk and/or their social science research in the field of cybersecurity, and the course lecturer will help students reflect on the conceptualisations of risk that are embedded in their work.
Course objectives
Basic understanding & knowledge on existing risks and risk analysis approaches and their applicability for analysing cyber risks;
Basic understanding of cyber attacks (including basic technical aspects as well as motives and incentives) and effectiveness and limitations of cyber defense mechanisms and tools;
Understanding & knowledge of an integrated approach to cyber risk management;
Ability to identify and evaluate cyber risk factors, appropriate risk mitigation approaches and ways to reduce cyber risks to acceptable levels;
Basic understanding of the worldviews, lenses, and key areas of focus of the social sciences, with a special focus on sociology, public administration/governance and law;
Basic understanding of the ways in which these worldviews diverge from those in the natural sciences (with a focus on engineering), and the impact this has on the questions that are central to the social sciences and the methods and approaches used;
Advanced understanding of the strengths and weaknesses of risk management as a ‘one size fits all approach’ to any and all forms of risk;
Advanced understanding of the perceptions of, and theoretical/empirical approaches to, risk in the social sciences, with a focus on sociology, public administration/governance, and law;
Advanced understanding of the relevance of various social sciences (with a focus on sociology, public administration/governance, and law) for cybersecurity;
Advanced understanding of the perceptions of, and theoretical/empirical approaches to, human behaviour in cyberspace, with a special focus on cybersecurity.
Timetable
On the right-hand side of the programme front page of the E-Prospectus you will find a link to the online timetables.
Mode of instruction
Lectures, seminars, exercises, class discussion
Lecturers: Prof. dr. Bibi van den Berg, and others.
Assessment method
Assignment
25% of final grade
Grade must be compensated
Re-sit not possible
Written exam
75% of final grade
Grade must be 5.50 or higher to pass the course
Re-sit of a fail is possible.
Re-sit will take the same form
Only assessments with a weight of 30% or lower are compensable. This means that one does not have to pass an assessment weighing 30% or less in order to pass the course, provided the weighted average of all assessments combined is at least a 5.5. In addition, assignments weighing up to and including 30% cannot be re-taken: if one fails an assessment of 30% or less, one is not allowed to redo it and that assessment must be compensated by the other assessment(s).
Reading list
Compulsory literature and literature for further consultation will be announced via Brightspace.
Registration
No registration is required for lectures and exams.
Contact
Prof. dr. Bibi van den Berg
Chantal de Groot, study coordinator
Remarks
For more information see our website.